Ldap-Group DN and the match "=~" check

Phil Mayers p.mayers at imperial.ac.uk
Mon Jul 17 15:09:28 CEST 2006


Thibault Le Meur wrote:
> Hello,
> 
> I've made a little test and found that the match operator "=~" doesn't work
> on my setup (Freeradius 1.0.4) for Groups defined as LDAP DNs.
> 
> Indeed I'd like to use the following rule (in the users file):
> 
> DEFAULT Ldap-Group =~
> "cn=mygroupname,ou=(unit1|unit2|unit3),dc=mycorp,dc=org"
> 	Fall-Through = no
> 
> This way, a unique rule will match 3 different groups having the same cn,
> but in different subtrees.
> 
> Am I missing something or is this setup impossible with Ldap-Groups?

You are missing something.

Ldap-Group is not a real attribute that's copied to the config items.
It's a "virtual" attribute. At runtime, the right-hand-side of the
comparison is searched for in the LDAP directory.

There's no way to do what you want currently. Source code changes and/or
clever use of the ldap xlat might do it (see doc/rlm_ldap).



More information about the Freeradius-Users mailing list